Chapter 3 PICSEL
3.4 Design Decisions
This section presents the options that were considered for the development and implementation of PICSEL, and discusses and explains some of them. The electrical scheme of PICSEL is presented and discussed at the end.
3.4.1 Test Scenarios
In reality, test scenarios will be the main requirement for PICSEL.
On a small scale, PICSEL will have to show how a real industrial process works, meaning that it should explain how all equipment, protocols and services interact with each other in each specific scenario. As previously mentioned, there are many different types of industries, each with different requirements and necessities.
There are different types of industries (e.g. Energy, Smart Buildings) and it is impossible to implement them all. Here, some facts are presented and discussed in order to choose which types of industries are going to be implemented. This step of the project is important because future decisions will depend on it.
With so many industries available, and since this project is oriented towards security topics, it is important to analyse some annual reports about ICS from major security firms.
One of them, "The State of Industrial Cybersecurity 2018" from Kaspersky, did a good job of pointing out some relevant industrial sub-segments, not forgetting that these segments are all interconnected to various degrees. The most relevant ones for OT/ICS, with the percentage of importance to an organization, are smart energy (51%), Industry 4.0 (48%), smart transportation (44%), smart metering (43%), and smart cities (43%) [18].
These metrics give an idea of the industries that are struggling more with security problems, not forgetting that they are all very important. Each of these industries has different specifications and, when implementing a specific scenario on PICSEL, difficulties can appear for a variety of reasons, for example specific equipment, redundancy protocols or incompatible protocols. Besides these potential difficulties, it is important to analyse and experiment in different ways in order to recreate a specific industry.
3.4.2 Network Architecture
Network segmentation, or subnetting, is the process of dividing a network into two or more networks, improving its performance and security. In a typical industry with different processes running, some sections are more critical than others, and some sections do not need to communicate with each other. If the same LAN is segmented into different sections, performance increases because unnecessary traffic does not move onto each network segment, and neither would an attacker who somehow gained access to one of the segments.
This segmentation can be done in a variety of ways. It can be done at a physical level, where the two networks are divided physically at wire level, one for each LAN segment. It can also be done logically, with software running in a router or in hardware using a switch. Finally, it can be achieved at the application level, for instance by segmenting with firewalls. Some of these methods are further explained below:
• Routers are intelligent network devices that can be configured to use the most efficient route to transmit data. They work on layer 3 of the OSI model, the network layer, and their software can route data packets from one network to another based on their IP address. Each port of a router can be a separate segment, and routers are usually used to segment fairly large networks, in terms of geography, or very high volume networks.
• Switches are data link layer devices that allow multiple LAN segments to be interconnected into a single larger network. Switches operate in hardware instead of software and are therefore much faster than routers. Switches forward and flood traffic based on MAC addresses, at layer 2. They learn, almost instantly, the MAC address of the requester and the port or location of the device that responded to the request. Switches can also be used to create VLANs, which are virtual segments, instead of physically segmenting the network. The packets in a VLAN are sent only to the ports that are part of the same VLAN.
• Firewalls can be used not only to segment the network but also to monitor the traffic passing through by applying policies. There are different types of firewalls:
– Stateless firewalls watch network traffic and restrict or block packets based on source and destination addresses or other static values.
– Stateful firewalls monitor the full state of active network connections. This means that they are constantly analysing the context and the data packets. This also allows them to approve or restrict certain kinds of traffic.
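The difference between the two firewall types, as an added example that is not part of the original text: the same constructed packets are checked against a static address/port rule and against a connection table. The addresses, the HMI and PLC roles and the use of Modbus/TCP on port 502 are assumptions made for illustration, not PICSEL's configuration.

```python
from dataclasses import dataclass

# Hypothetical policy: the HMI may open Modbus/TCP sessions to the PLC.
HMI, PLC, MODBUS = "10.0.2.10", "10.0.1.20", 502

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags: "S", "SA", "A", "F", "R"

def stateless_allow(p):
    """Static match on addresses and ports; replies need their own rule."""
    request = p.src == HMI and p.dst == PLC and p.dport == MODBUS
    reply = p.src == PLC and p.dst == HMI and p.sport == MODBUS
    return request or reply

class StatefulFirewall:
    """Accepts reverse traffic only for sessions the HMI has opened."""
    def __init__(self):
        self.connections = set()  # (client, client_port, server, server_port)

    def allow(self, p):
        if p.src == HMI and p.dst == PLC and p.dport == MODBUS:
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":           # new session: record it
                self.connections.add(key)
                return True
            return key in self.connections
        key = (p.dst, p.dport, p.src, p.sport)  # reverse direction
        if key not in self.connections:
            return False
        if "R" in p.flags or "F" in p.flags:
            self.connections.discard(key)      # simplified teardown
        return True

def compare(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    fw = StatefulFirewall()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]

# Constructed sample traffic.
SAMPLE = [
    Packet(HMI, 40000, PLC, 502, "S"),        # HMI opens a session
    Packet(PLC, 502, HMI, 40000, "SA"),       # reply within that session
    Packet(PLC, 502, HMI, 41000, "A"),        # matches the reply rule, no session
    Packet("10.0.3.5", 5000, PLC, 502, "S"),  # host from another segment
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, compare(SAMPLE)):
        print(pkt, verdict)
```

The third packet is the case that separates the two: it satisfies the static reply rule but belongs to no recorded connection, so only the stateful check rejects it.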
With all these possibilities available, during the development of the electrical scheme presented in Section 3.5 it was considered that these options have identical power requirements. Since PICSEL already handles some of these types of equipment, it becomes possible to support another type of equipment.
3.4.3 System Monitoring
To maintain the normal operation and security of an industrial process, it is crucial to collect data from all equipment. During operation, in order to detect and prevent anomalies, it is very important to collect a good variety of information, which is why this module is also so important.
System monitoring, depending on the size and complexity of the environment, is normally responsible for controlling the technology in a process, such as hardware, networks, protocols and services, among others.
All that information can be used to detect and alert about possible errors, correlate different types of data, support forensics and help security solutions with data.
Meanwhile, to collect this type of information it is important to analyse all equipment and understand which information is important to collect. Below is some of the most important information that should be gathered from the different types of equipment:
• Network devices information: gathering information about the network is obviously very important. This includes critical information about the status, errors, warnings and configuration logs of the network devices.
This information provides details about the events, errors or any serious problems that can happen in a normal network infrastructure. There are standards for obtaining this kind of information, the most common being Syslog and Simple Network Management Protocol (SNMP).
• Control devices information: as important as the network information. This information should give us a perspective on what is happening at the lower levels of the Purdue model. There is a lot of information that can be carved from these devices, such as alarms, errors, downtime, configurations, firmware version and others.
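How Syslog data from network devices can be turned into alerts, as an added example that is not part of the original text: it parses BSD-style (RFC 3164) syslog lines, splits the priority value into facility and severity, and groups events at or above a severity threshold per device. The host names and log lines are constructed for illustration.

```python
import re

SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]

# Layout: <PRI>Mmm dd hh:mm:ss host tag: message
LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)

def parse(line):
    """Return a dict for a well-formed line, or None if it cannot be parsed."""
    m = LINE.match(line)
    if not m or int(m["pri"]) > 191:       # 191 = facility 23, severity 7
        return None
    facility, severity = divmod(int(m["pri"]), 8)  # PRI = facility * 8 + severity
    return {"ts": m["ts"], "host": m["host"], "tag": m["tag"],
            "facility": facility, "severity": SEVERITIES[severity],
            "msg": m["msg"]}

def triage(lines, threshold="warning"):
    """Group events at or above the threshold by host; count rejected lines."""
    limit = SEVERITIES.index(threshold)
    alerts, rejected = {}, 0
    for line in lines:
        event = parse(line)
        if event is None:
            rejected += 1                  # malformed input is itself worth tracking
        elif SEVERITIES.index(event["severity"]) <= limit:
            alerts.setdefault(event["host"], []).append(
                (event["severity"], event["msg"]))
    return alerts, rejected

# Constructed sample lines from hypothetical devices.
SAMPLE = [
    "<187>Mar  3 10:15:02 sw-cell1 link: port 3 changed state to down",
    "<190>Mar  3 10:15:05 sw-cell1 config: configuration saved by admin",
    "<4>Mar  3 10:16:11 fw-dmz kernel: fan speed below threshold",
    "not a syslog line",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```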
During the selection of the equipment, not all equipment allowed for these types of options and functions. They can only be used where the equipment itself supports them.